US6535879B1ExpiredUtility

Access control via properties system

91
Assignee: NETSCAPE COMM CORPPriority: Feb 18, 2000Filed: Feb 18, 2000Granted: Mar 18, 2003
Est. expiryFeb 18, 2020(expired)· nominal 20-yr term from priority
G06F 2221/2141Y10S707/99939H04L 63/101G06F 21/604G06F 21/6218
91
PatentIndex Score
93
Cited by
7
References
12
Claims

Abstract

An access control via properties system provides ACL rules based on the properties associated with the entries, thereby taking advantage of the fact that there are inherent properties associated with each entry and does not require any changes to the schema. Once the server supports the invention, the system administrator creates a few simple ACL rules and is done. The invention structures the ACL rule such that it indicates the attributes that the administrator has selected for user access and specifies the type of access to be granted to a user which can include: read, write, or any other privileges that the system supports. The desired attributes that the user must have to be granted such access is also listed along with the attribute fieldname associated with the desired attributes. The directory server will match the desired attributes within the specified attribute fieldname with the user's attributes and allows access to the directory entry only if the user has the desired attribute values. Alternatively, a match function can be specified for the desired attributes where the directory server matches the desired attributes with the user and the owner of the list of attributes and allows access to the directory entry only if the both the user and the owner have the desired attribute values. When a user accesses a directory entry, the directory server selects and analyzes a specific access control command according to the attribute being accessed.

Claims

exact text as granted — not AI-modified
What is claimed is:  
     
       1. A process for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of: 
       providing a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.  
     
     
       2. The process of  claim 1 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports. 
     
     
       3. The process of  claim 1 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed. 
     
     
       4. A process for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of: 
       providing a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.  
     
     
       5. An apparatus for a property-based access control language that controls access to directory entries in a computer environment, comprising: 
       a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.  
     
     
       6. The apparatus of  claim 5 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports. 
     
     
       7. The apparatus of  claim 5 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed. 
     
     
       8. An apparatus for a property-based access control language that controls access to directory entries in a computer environment, comprising: 
       a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.  
     
     
       9. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of: 
       providing a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein the specific attribute fieldname associated with said desired attributes is specified; and wherein the directory server matches said desired attributes of said specific attribute fieldname with said user's attributes and allows access only if said user has said desired attributes.  
     
     
       10. The process of  claim 9 , wherein said type of access includes, but is not limited to: read, write, and any other privileges that the system supports. 
     
     
       11. The process of  claim 9 , wherein the directory server selects and analyzes a specific access control command according to the attribute being accessed. 
     
     
       12. A program storage medium readable by a computer, tangibly embodying a program of instructions executable by the computer to perform method steps for a property-based access control language that controls access to directory entries in a computer environment, comprising the steps of: 
       providing a system administrator defined access control command;  
       said access control command lists the attribute values that said administrator has selected for user access;  
       said access control command specifies the type of access to be granted to a user; and  
       said access control command specifies the desired attribute values that said user must have to be granted said type of access;  
       wherein a match function is specified for said desired attributes; and wherein the directory server matches said desired attributes with said user and the owner of said list of attributes and allows access only if the two have said desired attributes.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.